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(54) Method for establishing a key using over-the-air communication and password protocol 



(57) In the password protocol, the communicating 
parties exchange calculation results, which each in- 
clude an exponential, to generate a key In generating 
the calculation results, each party adds the password to 
their respective exponential. If the authorizing informa- 
tion previously sent by one party is acceptable to the 
other party, then this other party uses the key estab- 



lished according to the password protocol. The channel 
authorizing information is sent over a secure communi- 
cation channel. The secure communication channel is 
also used in other embodiments to verify a hash on at 
least one calculation result sent between the parties. If 
the hash is verified, then a key is established using the 
calculation results sent between the parties 
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Description 
Related Applications 

£0001] The following applications, filed concurrently 
with the subject application, are related to the subject 
application and are hereby incorporated by reference in 
their entirety: application no. unknown entitled METH- 
OD FOR TWO PARTY AUTHENTICATION AND KEY 
AGREEMENT by one of the inventors of the subjecl ap- 
plication; application no. unknown entitled METHOD 
FOR UPDATING SECRET SHARED DATA IN A WIRE- 
LESS COMMUNICATION SYSTEM by one of the inven- 
tors of the subject application; application no. unknown 
entitled METHOD FOR TRANSFERRING SENSITIVE 
INFORMATION USING INTIALLY UNSECURED COM- 
MUNICATION by one of the inventors of the subject ap- 
plication; and application no. unknown entitled METH- 
OD FOR SECURING OVER-THE-AIR COMMUNICA- 
TION IN A WIRELESS SYSTEM by one of the inventors 
of the subject application. 

Field Of The Invention 

[0002] The present invention relates to a password 
protocol and a method for establishing a key using over- 
the-air communication and, in one embodiment, the 
password protocol. 

Description Of Related Art 

[0003] in a wireless communication system, the hand- 
sets, often called mobiles, purchased by mobile users 
are typically taken to a network service provider, and 
long keys and parameters are entered into !he handset 
to activate service. The network of the service provider 
also maintains and associates with the mobile, a copy 
of the long keys and parameters for the mobile. As is 
well-known, based on these long keys and parameters, 
information can be securely transferred between the 
network and the mobile over the air. 
[0004] Alternatively, the user receives long keys from 
the service provider over a secure communication chan- 
nel, like a telephone/land fine, and must manually enter 
these codes into the mobile. 

[0005] Because the transfer of the long keys and pa- 
rameters is performed via a telephone/land line or at the 
network service provider as opposed to over the air, the 
transfer is secure against over the air attacks. However, 
this method of securely transferring information places 
certain burdens and restrictions on the mobile user 
Preferably, the mobile user should be able to buy their 
handsets and then get service from any service provider 
without physically taking the handsets to the provider's 
location or having to manually, and error free, enler long 
keys into the mobile. The capability to activate and pro- 
vision the mobile remotely is part of the North American 
wireless standards, and is referred to as over the air 



service provisioning 0 (OTASP). 

[0006] Currently, the North American Cellular stand- 
ard IS41 -C specifies an OTASP protocol using the well- 
known Diffe-Heliman (DH) key agreement for establish- 
5 ing a secret key between two parties. Fig. 1 illustrates 
the application of the DH key agreement to establishing 
a secret key between a mobile 20 and a network 1 0 used 
in IS41-C. Namely, Fig. 1 shows, in a simplified form for 
clarity, the communication between a network 10 and a 

10 mobile 20 according to the DH key agreement. As used 
herein, the term network refers to the authentication 
centers, home iacalion registers, visiting location regis- 
ters, mobile switching centers, and base stations oper- 
ated by a network service provider. 

is [0007] The network 10 generates a random number 
R N , and calculates (g A R w mod p). As shown in Fig. 1, 
the network 10 sends a 51 2-bit prime number p f the gen- 
erator g of the group generated by the prime number p, 
and (g^Rfyj mod p) to the mobile 20. Next, the mobile 20 

20 generates a random number R M , calculates (g A R M mod 
p), and sends (g A R^ mod p) to the network 10. 
[0006] The mobile 20 raises the received (g A R^ mod 
p) from the network 1 0 to the power R M to obtain (g A R|u_ 
R N mod p). The network 10 raises the received (g A R M 

25 mod p) from the mobile 20 to the power R N to also obtain 
(g A R M R N mod p). Both the mobile 20 and the network 
1 0 obtain the same resu It, and establish the 64 least sig- 
nificant bits as the long-lived key called the A-key, The 
A-key serves as a root key for deriving other keys used 

30 in securing the communication between the mobile 20 
and the network 10. 

[0009] One of the problems with the DH key exchange 
is that it is unauthenticated and susceptible to a man- 
in-the-middle attack. For instance, in the above mobile- 

35 network two party example, an attacker can imperson- 
ate the network 10 and then in turn impersonate the mo- 
bile 20 to the network 10. This way the attacker can se- 
lect and know the A-key as it relays messages between 
the mobile 20 and the network 10 to satisfy the author- 

40 jzation requirements. The DH key exchange is also sus- 
ceptible to off-line dictionary attacks, 
[0010] Another well-known protocol for protecting the 
over-the-air transfer of information, such as the A-key, 
is the Diffe-Heilman Encrypted Key Exchange (DH- 

4S EKE). DH-EKE is a password based protocol for ex- 
changing information, and assumes that both the mobile 
user and the network service provider have established 
a password prior to the over-the-air transfer. Unlike the 
DH key exchange system discussed with respect to Fig. 

so 1, the DH-EKE protects against man-tn-Ihe-middle at- 
tacks and off-line dictionary attacks. 
[0011] The DH-EKE will be described with respect to 
Fig. 2 r which illustrates the communication between the 
mobile 20 and the network 10 according to the DH-EKE 

55 protocol. As shown, the mobile 20 sends a 512-bit prime 
number p and the generator g to the network 10 along 
with (g A R M mod p) encrypted according to an encryp- 
tion/decryption algorithm ENC using the password P, 
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known to the mobile user and the network 10, as the 
encryption key. This calculation is represented as EWC P 
(g A R M mod p), The network 10 decrypts (g A R M nnod p) 
using the password R and calculates {g A R M modp) A R N , 
which equals (g A R M R N mod p). The network 10 selects 
(g A R M R N mod p), a hash of this value, or some portion 
thereof as a session key SK. 

[0012J Tne network 10 then sends (g A R N mod p) en- 
crypted according to ENC using the password P and a 
random number R N ' encrypted according to ENC using 
the session key SK to the mobile 20. The mobile 20 de- 
crypts (g A R N mod p) using the password P, and calcu- 
lates {g A R N mod p) A R M . which equals (g A R M R N mod p). 
Then, the mobile 20. selects {g A R M RN mod P)> the hash 
thereof, or a portion thereof as did the network 1 0 as the 
session key SK, Using the session key SK, the mobile 
20 then decrypts R N \ 

[0013] Next, the mobile 20 generates a random 
number R M *, encrypts the random numbers R M ' and R N ' 
according to ENC using the session key SK, and sends 
the encrypted random numbers R N J and R M ' to the net- 
work 1 0. The network 10 decrypts the random numbers 
R N ' and R M ' using the session key SK t and determines 
whether the decrypted version of R N ' equals the version 
of R N ' originally sent to the mobile 20. The session key 
SK is verified by the network 1 0 when the decrypted ver- 
sion of R N * equals the version of R N ( originally sent to 
the mobile 20. 

[0014] The network 10 then sends the random 
number R M * encrypted according to ENC using the ses- 
sion key SK to the mobile 20. The mobile 20 decrypts 
the random number R M ' using the session key SK, and 
determines wheth e r the calculated ve rsion of R M * equals 
the version of R M ' originally sent to the network 10, The 
session key SK is verified by the mobile 20 when the 
decrypted version of R M * equals the version of R M * orig- 
inally sent to the network 10. 

[0015] Once the network 10 and the mobile 20 have 
verified the session key SK, the session key SK is used 
as the A-key, and communication between the mobile 
20 and the network 10 is reconfigured using the A-key, 
[0016] While the DH-EKE protocol eliminates man-in- 
the-middle and off-line dictionary attacks, information 
may still leak, and an attacker may recover the pass- 
word R 

Summary Of The Present invention 

[0017] In the password protocol, the communicating 
parties exchange calculation results, which each in- 
clude an exponential, to generate a key. In generating 
the calculation results, each party adds the password to 
their respective exponential If the authorizing informa- 
tion previously sent by one party is acceptable to the 
other party, then this other party uses the key estab- 
lished according to the password protocol. The author- 
izing information is sent over a secure communication 
channel. By adding the password to the respective ex- 



ponentials, less information on the password leaks and 
the computation becomes more efficient. 
[0018] The secure communication channel is also 
used in other embodiments to verify a hash on at least 

s one calculation result sent between the parties. Unlike 
the password protocol, however, the calculation results 
do not include the password. If the hash is verified, then 
a key Is established using the calculation results sent 
between the parties. This verification process provides 

10 a measure of security prior to establishing the key. 
[001 9] The present invention has various applications 
including the wireless industry wherein the parties are 
a mobile user and a network. 



[0020] The present invention will become more fully 
understood from the detailed description given below 
and the accompanying drawings which are given by way 
so of illustration only, wherein tike reference numerals des- 
ignate corresponding parts in the various drawings, and 
wherein: 

Fig, 1 shows the communication between a network 
sb and a mobile according to the Diffe-Heilman key 
agreement; 

Fig. 2 shows the communication between a network 
and a mobile according to the Diffe-Heilman En- 
30 crypted Key Exchange protocol; 

Fig. 3 shows the communication between a network 
and a mobile user via a telephone/landline and a 
mobile according to a first embodiment of the 
35 present invention; 

Fig. 4 shows the communication between a network 
and a mobile user via a tefephone/landline and a 
mobile according to a second embodiment of the 
40 present invention; and 

Fig. 5 shows the communication between a network 
and a mobile user via a telephone/landline and a 
mobile according to a third embodiment of the 
4S present invention. 

Detailed Description Of The Preferred Embodiments 

[0021] The system and method according to the 
so present invention for establishing a key using over-the- 
air communication will be described as applied to a wire- 
less system. Namely, establishing a key between a mo* 
bile 20 and a network 10 using both a telephone/land 
line 30 and, according to one embodiment, a password 
ss protocol will be described. 

[0022] Fig. 3 illustrates the communication between 
(1 ) the network provider and the network 1 0, collectively 
referred to as the network 10, and (2) a mobile user via 
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a telephone/land line 30 and the mobile 20 according to 
a first embodiment of the present invention. As shown, 
via the telephone/land line 30 a mobile user provides 
the network 10 with authorizing information (e.g., credit 
card information for billing purposes). If the network 10 
accepts the authorizing information, the network 10 pro- 
vides the mobile user with a four (4) digit password P 
via the telephone/land line 30. It should be, however, 
that the password P may be more or less than four digits. 

{0023] The mobile user then enters this short pass* 
word P into the mobile 20 as part of an activation pro- 
gram. Using a random number generator, the mobile 20 
generates a random number R M , and using a pre-stored 
51 2-bit prime number p and the generator g of the group 
generated by the prime number p, calculates ((g A R w + 
P) mod p). 

[0024] The mobile 20 sends the prime number p and 
the generator g to the network 10 along with {(g A R M + 
P) mod p). Because ((g A R M + P) mod P) equals (g A R M 
mod p) + (P mod p) and the network 10 knows the pass- 
word P, the network 1 0 calculates {P mod p) and extracts 
(g A R M mod P) from ({g A Ry + P) mod p). After generating 
a random number R N , the network 10 calculates (g A R M 
mod p) a Rn> which equals (g A R M R N mod p). The network 
10 selects (g A RM R N mod Ph tne hash thereof, or a por- 
tion thereof as a session key SK. For example, if incor- 
porated in the IS41 protocol, the 64 least significant bits 
of (g A R M R N mod p) would be selected as a session key 
SK. 

[0025] The network 10 then calculates and sends 
((g A R N + P) mod p) to the mobile 20. The mobile 20, 
after extracting (g A R N mod p), "calculates (g A R N mod p) 
A R M , which equals (g A R M R N mod p). The mobile 20 se- 
lects (g A R M R N mod p), the hash thereof, or a portion 
thereof in the same manner as the network 10 as a ses- 
sion key SK. For example, if incorporated in the IS41 
protocol, the 64 least significant bits of {g A R M R N mod p) 
would be selected as a session key SK. 
[0026] Once the network 10 and the mobile 20 have 
the session key SK r the session key SK is used as the 
A-key, and communication between the mobile 20 and 
the network 10 is reconfigured using the A-key r 
[0027] The over-the-air exchange according to the 
present invention discussed above uses a password 
protocol (i.e., the transJers of ({g A RM + f 3 ) moci P) anc * 
((g A R N + P) mod p) in Fig. 3) which does not leak infor- 
mation to the degree that the DH-EKE protocol leaks 
information. Furthermore, this password protocol is se- 
cure because removing the effect of the password does 
not reveal anything. R M and RN are uniform random 
numbers. Raising them to g and then reducing by mod 
p also results in uniform and random numbers because 
of the permutation induced by exponentiation mod p. 
So, adding a P mod p to that number does not change 
the uniformity and randomness of the result All num- 
bers are equally likely, and removing the effects of other 
passwords also creates equally likely numbers, so there 



is no leaking of information. One skilled in the art will 
also appreciate that the password protocol discussed 
above is not limited in application to the over-the-air ex- 
change of information. For example, this password pro- 
5 tocol could be appfied to entity authentication and ses- 
sion key agreement, 

[0028] A second embodiment of the present invention 
will now be described with respect to Fig, 4. Fig. 4 illus- 
trates the communication between the network 10 and 

10 a mobile user via the telephone/land line 30 and the mo- 
bile 20 according to a second embodiment of the 
present inveniion. As shown, via the telephone/land line 
30 a mobile user provides the network 10 with author- 
izing information. If the network 10 accepts the auihor- 

*s tzing information, then when the mobile 20 issues an in- 
itialization request as part of the mobile's initialization 
procedure, the initialization process will continue, 
[0029] For example, the mobile 20 generates a ran- 
dom number R^, calculates (g A R^ mod p), and sends 

20 an initialization request along with (g A R M mod p) to the 
network 1 0, 

[0030] The network 10 generates a random number 

R N and sends (g A R N mod p) to the mobile 20, 

[0031] Both the mobile 20 and the network 10 per- 

2S forms h((g A R N mod p), {g A Rjyj rrtod p)), which is a col- 
lective hash on (g A R N mod p) and (g A R M mod P) using 
the well-known Secure Hashing Algorithm (SHA). It 
should be noted, however, that any hashing algorithm 
can be used. The mobile 20 displays the results of the 

30 hash, and the mobile user F via the telephone/land line 
30, gives the digits of the hash to the network 10. 
[0032] If the network 10 finds a match between the 
digits provided by the mobile user and the hash per- 
formed by the network 10, then communication is veri- 

35 fied and the A-key is established as (g A R M R N mod p), 
the hash thereof, or a portion thereof. Namely, the mo- 
bile 20 wilt have established the A-key as such, but the 
network 1 0 will only associate this A-key with the mobile 
20 if the hash is verified, 

40 [0033] As an alternative, or third embodiment, along 
with the authorizing information, the mobile user 20 sup- 
plies sufficient information (e.g,, the mobile's identifica- 
tion number, etc.) to the network 10 such that the net- 
work 1 0 can contact the mobile 20 and send (g A R N mod 

4S pj as an initial communication. 

[0034] This third embodiment is subject to a birthday 
attack; namely, half as many attempts by a man-in-the- 
middle need to be made to attack this protocol than one 
would initially assume. However, according to an alter- 
so native of the third embodiment, if the hash is changed 
to h((g A R M mod p), {g A R N mod p), (g A R M RN mod P})> 
then the attack is significantly stowed because the at- 
tacker must do exponentiation along with the hashes. 
[0035] As another alternative to the third embodiment, 

55 the hash performed to verify communication between 
the mobile 20 and the network 10 includes the identifi- 
cation number of the mobile 20. 

[0036] According to a further modification of the third 
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embodiment (i.e., a fourth embodiment of the present 
invention}, the mobile 20 does not send (g A R|yj niod p) 
to the network 10, as shown in Fig. 4, until after receiving 
{g A R N mod p) from the network 10. In the third embod- 
iment, the man-in-the-midd!e attacker was able to see 
both (g A R M mod p) and (g A R N mod p), and thus exploit 
the birthday attack. According to this fourth embodi- 
ment, the attacker has to commit to a (g A R N mod p} be- 
lore the mobile 20 responds with a (g A R M mod p). This 
reduces, by one t the attacker's degrees of freedom, 
[0037] Fig. 5 illustrates the communication between 
the network 1 0 and a mobile uservia the telephone/fand 
line 30 and the mobile 20 according to a fifth embodi- 
ment of the present invention. As shown, via the tele- 
phone/land line 30 a mobile user provides the network 
10 with authorizing information. As discussed above, 
along with ihe authorizing information, the mobile 20 can 
supply the network 10 with sufficient information (e.g., 
the mobile identifier, etc.) for the network 10 to make 
initial contact wilh the mobile 20, if ihe network 10 ac- 
cepts the authorizing information, then the initialization 
process will continue. 

[0038] The initialization process continues with one of 
the mobile 20 and the network 10 sending an initializa- 
tion request to the other party 

[0039] For example, if the mobile 20 sends the initial- 
ization request, then the network 10 generates a ran- 
dom number R N , calculates (g^ft^ mod p) and the hash 
of (g A R N mod p), and sends h(g A R N mod p) to the mobile 
20. The mobile 20 generates a random number R M , cal- 
culates {g A R M mod p). and sends (g A R M mod p) to the 
network 10. The network 10 in return sends (g A R N mod 
p) to the mobile 20, 

[0040] Next, the mobile 20 calculates the hash of the 
received (g A Rf4 mod p) ; and confirms whether this cal- 
culated version of h(g A R H mod p) equals the version in- 
itially received from the network 1 0. If confirmed, the in- 
itialization process continues. 

[0041] Namely, both ihe mobile 20 and the network 
1 0 perform h((g A R M mod p), h(g A R H mod p}). The mobile 
20 displays the results of the hash, and the mobile user, 
via the ielephone/land line 30, gives the digits of the 
hash to the network 10. 

[0042] If Ihe network 10 finds a match with the hash 
performed by the network 10, then communication is 
verified and the A-key is established as (g A R M R N mod 
p), the hash thereof, or a portion thereof. Namely, the 
mobile 20 will have established the A-key as such, but 
the network 10 will only associate this A-key with the 
mobile 20 if the hash is verified. 

[0043] As discussed above, instead of ihe mobile 20 
sending the initialization request, the network 10 sends 
the initialization request. IS the network 10 sends the in- 
itialization request, then the mobile 20 generates a ran- 
dom number R M , calculates (g A R N mod p) f calculates 
the hash of (g A R M mod p), and sends h(g A R M mod p) to 
the network 10. The network 10 in return generates a 
random number R Nt calculates (g A R N mod p) and sends 



(g A R N mod p) to the mobile 20. 

[0044] The mobile 20 sends (g A R M mod p) to the net- 
work 10, and the network 10 calculates the hash of 
{g A R M mod p). The network 10 then confirms whether 
s the calculated version of h(g A R M mod p) equals the ver- 
sion initially received from the mobile 20. If equal, the 
initialization process continues. 

[004S] Namely, both the mobile 20 and the network 
1 0 perform h((g A R H mod p), h(g A R M mod p)). The mobile 
io 20 displays the results of the hash, and the mobile user, 
via the telephone/land tine 30, gives the digits of the 
hash to the network 10. 

[0046] If the network 10 finds a match with the hash 
performed by the network 10, then communication is 

1$ verified and the A-key is established as {g A R M ^N mod 
p), the hash thereof, or a portion thereof. Namely, the 
mobile 20 will have established the A-key as such, but 
the network 10 will only associate this A-key with the 
mobile 20 if the hash is verified. 

20 [0047] As a further alternative, the final hash per- 
formed to verify communication between the mobile 20 
and the network 10 includes the identification number 
of the mobile 20. 

[0048] A man-in-the-middle attacker cannot use a 
25 birthday type atlack because when acting as the net- 
work 1 0 he has to commit to the exponential he is using 
(via the hash) before he sees the mobile users expo- 
nential Similarly, the attacker, when acting as the mo- 
bile 20, has to commit to the exponential before the vai- 
30 ue of the network's exponential, associated with the 
hash, is revealed. 

[0049] In some of the embodiments of the present in- 
vention, the prime number p and the generator g were 
assumed to be fixed and pre-stored in the mobile 20, 

3S However, if that is not the case, then the attacker can 
replace g and p with g 1 and p\ which will allow the at- 
tacker to calculate the discrete logarithm efficiently. If g 
and p are also sent over the air then they should also 
be used as part of the hash calculation, h(g,p, (g A R M 

40 mod p). (g A R w mod p)) in order to stop the substitution 
of g and p by the attacker. 

[0050] Furthermore, although each embodiment was 
described using a telephone/land line 30, other forms of 
secure communication could replace the telephone/ 
45 (and line 30. For instance, a previously activated mobile 
could replace the telephone/land line. Alternatively, but 
less secure, the telephone/land line communications 
could be performed over a voice channel between the 
mobile 20 and the network 10, and the remaining corn- 
so rnunication would occur over a control channel between 
the mobile 20 and the network 10. 
[0051] The invention being thus described, it will be 
obvious that the same may be varied in many ways. 
Such variations are not to be regarded as a departure 
55 from the spirit and scope of the invention, and all such 
modifications are intended to be included within the 
scope of the following claims. 
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Claims 

1 . A method of establishing a key at a first party using 
a password, comprising: 

(a) generating, at said first party, a first random 
number R M ; 

(b) producing a first calculation result by calcu- 
lating f(g A R M + P) mod p) } where P is a pass- 
word, p is a prime number, and g is a generator 
of a group generated by said prime number p; 

(c) sending said prime number p, said genera- 
tor g, and said first calculation result to a sec- 
ond party; 

(d) receiving a second calculation result equal 
to ((g A B|s) + P) mod p) from said second party, 
where R N is a second random number; and 

(e) establishing a key based on said second 
calculation result and said first random number, 

2. The method of claim 1, wherein said step (e) com- 
prises: 

(e1) calculating (P mod p); 

(e2) subtracting (P mod p) from said second 
calculation result of ((g A R N + P) mod p) to ob- 
tain (g A R N mod p); and 

(e3) establishing said key based on (g A R N mod 
p) and said first random number. 

3. The method of claim 1 , wherein said first party is a 
mobile in a wireless system and said second party 
is a network. 

4. The method of claim 1 . prior to said step (b) t further 
comprising: 

(f) sending authorizing information over a se- 
cure communication channel to said second 
party; and 

(g) receiving said password from said second 
party over said secure communication channel 
if said second party accepts said authorizing in- 
formation. 

B, Tho method of claim 4, wherein 

said first party is a mobile user in a wireless sys- 
tem and said second party is a network; and 

said secure communication channel is a land 



tine. 

6. A method of establishing a key at a first party using 
a password, comprising: 

s 

(a) receiving, at a first party, a prime number p, 
a generator g o! a group generated by sard 
prime number p, and a first calculation result 
from a second party, said first calculation result 

io being a result of calculating ({g A R^ + P) mod 

p), where P is a password and R M is a first ran- 
dom number; 

(b) generating a second random number RN; 

75 

(c) producing a second calculation result by cal- 
culating ((g A R N + P) mod p); 

(d) sending said second calculation result lo 
20 said second party; and 

(e) establishing a key based on said first calcu- 
lation result and said second random number. 

2S 7. The method of claim 6, wherein said stop (o) com- 
prises: 

(e1) calculating (P mod p); 

30 (e2) subtracting (P mod p) from said first calcu- 

lation result of ({g A R M + P) nnod p) to obtain 
(g A R M mod p); and 

(e3) establishing said key based on (g A R M mod 
3S p) and said second random number 

8. The method of claim S, wherein said first party is a 
network in a wireless system and said second party 
is a mobile. 

40 

9. The method of claim 6, prior to said step (a), further 
comprising: 

(f) receiving authorizing information over a se- 
45 cu re commun ication chan n el f rom said second 

party; and 

(g) sending satd password to said second party 
over said secure communication channel if said 

50 authorizing information is acceptable, 

10. The method of claim 9, wherein 

said first party is a network in a wireless system 
and said second party is a mobile user; and 

said secure communication channel is a land 
line. 
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11. A method of establishing a key at a first party, com- 
prising: 

(a) generating, at said first party, a first random 
number R M ; 

(b) producing a first calculation result by calcu- 
lating (g A R M mod p). where p is a prime number, 
and g is a generator of a group generated by 
said prime number p; 

(c) sending said first calculation result to a sec- 
ond party; 

(d) receiving a second calculation result equal 
to (g A R N mod p) from said second party, where 
R N is a second random number; 

(e) calculating a first hash of at least said first 
calculation result; 

(f) sending said first hash to said second party 
over a first secure communication channel; and 

(g) establishing a key based on said first ran* 
dom number and said second calculation re- 
sult. 

12. The method of claim 11, further comprising: 

(h) sending authorizing information to said sec- 
ond party over a second secure communication 
channel; and wherein 

said step (d) receives said second calculation 
result if said authorizing information is acceptable 
to said second party. 

13. The method of claim 12, wherein 

said step (h) sends an identifier for said first 
party along with said authorizing information; 
and 

said step (d) is performed one of prior to and 
concurrent with said step (c). 

14. The method of claim 1 3 ( wherein said step (c) is not 
performed until after said step (d). 

15* The method of claim 14, wherein 

said step (h) sends an identifier for said first 
party along with said authorizing information; 
and 



identifier for said first party, 

16. The method of claim 1 4, wherein said step (e) cal- 
culates said first hash as a hash of said first and 

5 second calculation results and (g A R N mod p) A R M - 

17. The method of claim 11 , wherein said step (e) cal- 
culates said first hash as a hash of at least said first 
and second calculation results. 

10 

18. The method of claim 11, wherein said first party is 
a mobile user in a wireless system and said second 
party is a network. 

75 19. A method of establishing a key at a first party, com- 
prising: 

(a) receiving a first calculation result from a sec- 
ond party, said first calculation result being a 
zo result a! calculating (g A R]^ mod p) where R^ is 

a first random number, p is a prime number, and 
g is a generator of a group generated by said 
prime number p; 

25 (b) generating a second random number R N ; 

(c) producing a second calculation result by cal- 
culating (g A R N mod p); 

3Q (d) sending said second calculation result to 

said second party; 

(e) calculating a first hash of at least said first 
calculation result; 

35 

(f) receiving a second hash from said second 
party over a first secure communication chan- 
nel; 

40 (g) verifying said second party based on said 

first and second hashes; and 

(h) establishing a key based on said second 
random number and said first calculation result 

-*5 if said second party is verified. 

20. The method of claim 1 9 t further comprising: 

(i) receiving authorizing information from said 
so second party over a second secure communi- 
cation channel; and wherein 

said step (d) sends said second calculation 
result to said second party if said authorizing infor- 
ms mation is acceptable. 
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said step (i) receives an identifier for said sec- 
ond party along with said authorizing informa- 
tion; and 

said step (d) is performed one of prior to and s 
concurrent with said step (a). 

22. The method of claim 21 , wherein said step (a) is not 
performed until after said step (d). 

10 

23. The method of claim 22 f wherein 

said step (i) receives an identifier for said sec- 
ond party along with said authorizing informa- 
tion; and 75 

sard step.(e} calculates said first hash as a hash 
of at least said first calculation result and said 
identifier for said second party. 

20 

24. The method of claim 22, wherein said step (e) cal- 
culates said first hash as a hash of said first and 
second calculation results and {g A R M mod p) A R N . 

25. The method of claim 19, wherein said step (e) cal~ 2$ 
culates said first hash as a hash of at least said first 
and second calculation results, 

26. The method of claim 19, wherein said first party is 

a network in a wireless system and said second par- so 
ty is a mobile user. 
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